What is claimed is: 



1. A tamper-resistant computer system having a CPU and a main memory for executing application software, comprising:

a first operating system; and

a second operating system;

wherein the application software comprises a first component program executed by the first operating system, and a second component program executed by the second operating system, wherein the first component program has a user interface for receiving an operational instruction from a user of the computer system and for issuing a command to the second component program, and

wherein the second component program performs the command issued by the first component program if execution thereof has been designated as permitted in advance, thereby preventing the second component program from being accessed by the user.

2. A tamper-resistant computer system as claimed in claim 1, further comprising a communication control program that sends a command issued by the first component program to the second component program if execution thereof is permitted.

3. A tamper-resistant computer system as claimed in claim 2, further comprising a multi-OS control program for controlling the first and second operating systems;

wherein the multi-OS control program establishes a particular region in a memory area managed by the first operating system so that the particular region can be referred to by the communication control program, wherein the user interface of the first component program writes the command into the particular region for issuance thereof, and

wherein, by referring to the particular region, the communication control program reads a command stored in the particular region by the first component program, and then, by making reference to a list of the permitted commands held in a memory area managed by the second operating system, the communication control program sends the command to the second component program if the command is in the list.

4. A tamper-resistant computer system as claimed in claim 3 further including a tamper-resistant hardware module for storing a system boot program;

wherein the tamper-resistant computer system includes an initial program for reading the system boot program at system startup,

wherein the system boot program includes a function for executing the multi-OS control program, and wherein the multi-OS control program includes a function for executing the first and second operating systems.

5. A tamper-resistant computer system as claimed in claim 4,

wherein the second component program comprises a system boot program, cryptographic software, and digital signature, wherein the hardware module includes a decryption key for the cryptographic software and a function for authenticating the system boot program,

wherein the system boot program includes a function for performing authentication for the hardware module, a function for extracting the decryption key for the cryptographic software from the hardware module, and a function for decrypting the cryptographic software with the decryption key extracted from the hardware module, and

wherein, according to a command from the first component program, the system boot program is executed, and in response the cryptographic software is decrypted and executed.

6. A tamper-resistant computer system as claimed in claim 5 wherein the hardware module further includes a decryption key for cryptographic data to be used by the second component program, and wherein the second component decrypts the cryptographic data.

7. A tamper-resistant computer system as claimed in claim 3,

wherein, at start of the second component program, the second component program adds a command permitted for the first component program to the list of permitted commands, and

wherein, at the time of termination of the second component program, the second component program removes the command from the list of permitted commands.
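
The mediation recited in claims 3 and 7, as an added example that is not part of the patent text: a single-process C simulation in which two static buffers stand in for the memory areas managed by the two operating systems. The function names, buffer sizes and the command name SIGN are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CMDS 8   /* assumed sizes, not from the claims */
#define CMD_LEN  32

static char shared_region[CMD_LEN];        /* "particular region", first OS memory */
static char permitted[MAX_CMDS][CMD_LEN];  /* permitted list, second OS memory */

/* Claim 7: the second component registers a command when it starts. */
int permit_add(const char *cmd) {
    size_t n = strlen(cmd);
    if (n == 0 || n >= CMD_LEN) return -1;
    for (int i = 0; i < MAX_CMDS; i++)
        if (permitted[i][0] == '\0') { memcpy(permitted[i], cmd, n + 1); return 0; }
    return -1;  /* list full */
}

/* Claim 7: and removes it again when it terminates. */
void permit_remove(const char *cmd) {
    for (int i = 0; cmd[0] && i < MAX_CMDS; i++)
        if (strcmp(permitted[i], cmd) == 0) permitted[i][0] = '\0';
}

/* First component's user interface: write the command into the region. */
int ui_issue(const char *cmd) {
    if (strlen(cmd) >= CMD_LEN) return -1;
    strcpy(shared_region, cmd);
    return 0;
}

/* Communication control program: copy the region first so the check and the
 * forward see the same bytes; forward only on an exact match (1), else 0. */
int comm_control_forward(char *out, size_t outlen) {
    char cmd[CMD_LEN];
    memcpy(cmd, shared_region, CMD_LEN);
    cmd[CMD_LEN - 1] = '\0';
    shared_region[0] = '\0';  /* consume the request */
    for (int i = 0; cmd[0] && i < MAX_CMDS; i++)
        if (strcmp(permitted[i], cmd) == 0) { snprintf(out, outlen, "%s", cmd); return 1; }
    return 0;
}

int main(void) {  /* SIGN is a constructed command name */
    char out[CMD_LEN];
    permit_add("SIGN");
    ui_issue("SIGN");
    printf("forwarded: %d\n", comm_control_forward(out, sizeof out));
    return 0;
}
```

A command that is not on the list, an empty region, and a command whose owner has already removed it on termination are all dropped by `comm_control_forward`.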

8. A tamper-resistant computer system as claimed in claim 1, wherein the second component program comprises a command processing program for command execution, and a communication control program through which a command issued by the first component program is sent to the command processing program if execution thereof is permitted.



9. A method for installing system software onto a tamper-resistant computer system comprising:

providing an installation program for system software which includes an installation start program, a cryptographic system file, and a digital signature, and wherein the installation start program includes a function for extracting a decryption key for the cryptographic system file from the hardware module and a function for decrypting the cryptographic system file with the decryption key extracted from the hardware module; and

executing the installation start program; and decrypting the cryptographic system file.

10. A method as in claim 9, wherein the method further comprises:

providing an installation program for application software which installation program includes a first installation program executed by a first operating system and a second installation program executed by a second operating system; wherein the first installation program includes a function for writing a first component program into a memory area managed by the first operating system and a function for calling the second installation program, wherein the second installation program has a function for writing the second component program into a memory area managed by the second operating system;

executing the first installation program;

calling the second installation program; and

executing the second installation program.

11. A method as in claim 9, wherein the installation program for the application software includes a digital signature, and a step is performed of checking the digital signature before writing the first and second component programs into the memory areas.